Dell 6.2 Server User Manual

290 | Virtual Private Networks    Dell PowerConnect W-Series ArubaOS 6.2 | User Guide
5. In the Source Network and Source Subnet Mask fields, enter the IP address and netmask for the source (the
local network connected to the controller). (See controller A in Figure 78.)
6. In the Destination Network and Destination Subnet Mask fields, enter the IP address and netmask for the
destination (the remote network to which the local network communicates). (See controller B in Figure 78.)
7. If you are using IKEv1 to establish a site-to-site VPN to a statically addressed remote peer, in the Peer Gateway
field, enter the IP address of the interface used by the remote peer to connect to the L3 network. (See Interface B in
Figure 78.) If you are configuring an IPsec map for a dynamically addressed remote peer, you must leave the peer
gateway set to its default value of 0.0.0.0.
8. If you are using IKEv2 to establish a site-to-site VPN to a statically addressed remote peer, identify the peer
device by entering its certificate subject name in the Peer Certificate Subject Name field.
NOTE: To identify the subject name of a peer certificate, access the command-line interface and issue the command
show crypto-local pki servercert <certname> subject
9. The Security Association Lifetime parameter defines the lifetime of the security association, in seconds. The
default value is 7200 seconds. To change this value, uncheck the default checkbox and enter a value from 300 to
86400 seconds.
10. Click the Version drop-down list and select V1 to configure the VPN for IKEv1, or V2 for IKEv2.
11. Select the VLAN that contains the interface of the local controller which connects to the Layer-3 network. (See
Interface A in Figure 78.)
This determines the source IP address used to initiate IKE. If you select 0 or None, the default is the VLAN of
the controller’s IP address (either the VLAN where the loopback IP is configured or VLAN 1 if no loopback IP is
configured).
12. If you enable Perfect Forward Secrecy (PFS) mode, new session keys are not derived from previously used session
keys. Therefore, if a key is compromised, that compromised key does not affect any previous session keys. PFS
mode is disabled by default. To enable this feature, click the PFS drop-down list and select one of the following
Perfect Forward Secrecy modes:
- group1: 768-bit Diffie Hellman prime modulus group.
- group2: 1024-bit Diffie Hellman prime modulus group.
- group19: 256-bit random Diffie Hellman ECP modulus group.
- group20: 384-bit random Diffie Hellman ECP modulus group.
13. Select Pre-Connect to have the VPN connection established even if there is no traffic being sent from the local
network. If this is not selected, the VPN connection is only established when traffic is sent from the local
network to the remote network.
14. Select Trusted Tunnel if traffic between the networks is trusted. If this is not selected, traffic between the
networks is untrusted.
15. Select the Enforce NATT checkbox to always enforce UDP 4500 for IKE and IPSEC. This option is disabled by
default.
16. Add one or more transform sets to be used by the IPsec map. Click the Transform Set drop down list, select an
existing transform set, then click the arrow button by the drop-down list to add that transform set to the IPsec
map.
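Added example (not code from the ArubaOS 6.2 guide or from Dell/Aruba): a small Python checker that models the IPsec map fields set in steps 5 through 16 and enforces the constraints those steps state before the map is committed: a network address with a matching mask, peer identification that depends on the IKE version and on whether the peer is dynamically addressed (peer gateway left at 0.0.0.0), the 300 to 86400 second SA lifetime window, the four PFS groups, and at least one transform set. The IpsecMap class, its field names and the sample values are this example's own, not ArubaOS identifiers.

```python
"""Pre-commit validation of a site-to-site IPsec map (added example).

Models the fields from steps 5-16 of the procedure and checks the rules the
guide states for them. Class and field names are this example's own.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

# PFS groups offered in step 12: group1/group2 are 768/1024-bit MODP,
# group19/group20 are 256/384-bit ECP.
PFS_GROUPS = {"group1", "group2", "group19", "group20"}
LEGACY_PFS = {"group1", "group2"}      # MODP groups below 2048 bits

SA_LIFETIME_DEFAULT = 7200             # seconds (guide default, step 9)
SA_LIFETIME_MIN, SA_LIFETIME_MAX = 300, 86400
DYNAMIC_PEER_GATEWAY = "0.0.0.0"       # required for dynamically addressed peers (step 7)


@dataclass
class IpsecMap:
    src_network: str                   # Source Network (local network, controller A)
    src_mask: str                      # Source Subnet Mask
    dst_network: str                   # Destination Network (remote network, controller B)
    dst_mask: str                      # Destination Subnet Mask
    version: str                       # "v1" (IKEv1) or "v2" (IKEv2), step 10
    peer_gateway: str = DYNAMIC_PEER_GATEWAY   # Peer Gateway, IKEv1 static peer
    peer_cert_subject: Optional[str] = None    # Peer Certificate Subject Name, IKEv2
    sa_lifetime: int = SA_LIFETIME_DEFAULT     # Security Association Lifetime
    vlan: int = 0                      # 0 / None = VLAN of the controller IP (step 11)
    pfs: Optional[str] = None          # PFS is disabled by default (step 12)
    pre_connect: bool = False          # step 13
    trusted: bool = False              # step 14
    enforce_natt: bool = False         # always use UDP 4500 for IKE and IPsec (step 15)
    transform_sets: List[str] = field(default_factory=list)   # step 16
    dynamic_peer: bool = False         # Dynamically Addressed Peers checkbox


def validate(m: IpsecMap) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings).

    Errors break a rule stated in the procedure; warnings flag settings the
    guide accepts but that weaken the tunnel.
    """
    errors: List[str] = []
    warnings: List[str] = []

    # Steps 5-6: the address must be a network address for the given mask
    # (strict=True rejects host bits set, e.g. 10.1.0.5/255.255.0.0).
    for label, net, mask in (("source", m.src_network, m.src_mask),
                             ("destination", m.dst_network, m.dst_mask)):
        try:
            IPv4Network(f"{net}/{mask}", strict=True)
        except ValueError as exc:
            errors.append(f"{label} network: {exc}")

    # Step 10: IKE version decides how the peer is identified.
    if m.version not in ("v1", "v2"):
        errors.append(f"version must be v1 or v2, got {m.version!r}")

    # Steps 7-8: peer identification by addressing mode and IKE version.
    if m.dynamic_peer:
        if m.peer_gateway != DYNAMIC_PEER_GATEWAY:
            errors.append("dynamically addressed peer: peer gateway must stay 0.0.0.0")
    elif m.version == "v1":
        try:
            if IPv4Address(m.peer_gateway) == IPv4Address(DYNAMIC_PEER_GATEWAY):
                errors.append("IKEv1 static peer: peer gateway address is required")
        except ValueError as exc:
            errors.append(f"peer gateway: {exc}")
    elif m.version == "v2" and not m.peer_cert_subject:
        errors.append("IKEv2 static peer: peer certificate subject name is required")

    # Step 9: SA lifetime window.
    if not SA_LIFETIME_MIN <= m.sa_lifetime <= SA_LIFETIME_MAX:
        errors.append(f"SA lifetime {m.sa_lifetime}s outside "
                      f"{SA_LIFETIME_MIN}-{SA_LIFETIME_MAX}s")

    # Step 12: PFS group, if enabled.
    if m.pfs is None:
        warnings.append("PFS disabled: session keys derive from earlier ones, "
                        "so one compromised key can expose others")
    elif m.pfs not in PFS_GROUPS:
        errors.append(f"unknown PFS group {m.pfs!r}")
    elif m.pfs in LEGACY_PFS:
        warnings.append(f"PFS {m.pfs} is a 768/1024-bit MODP group; "
                        "group19 or group20 (ECP) is the stronger choice")

    # Step 16: the map needs at least one transform set.
    if not m.transform_sets:
        errors.append("at least one transform set must be added to the map")

    return errors, warnings


if __name__ == "__main__":
    # Constructed sample: controller A (10.1.0.0/16) to controller B (10.2.0.0/16).
    sample = IpsecMap("10.1.0.0", "255.255.0.0", "10.2.0.0", "255.255.0.0", "v1",
                      peer_gateway="203.0.113.2", pfs="group20",
                      transform_sets=["ts-example"])
    for kind, msgs in zip(("error", "warning"), validate(sample)):
        for msg in msgs:
            print(f"{kind}: {msg}")
```

Run it against a map before committing the IPsec map in the WebUI; an empty error list means every rule from the steps above is satisfied, and the warnings point at the PFS choices that the guide permits but that a 2048-bit-or-better or ECP group would improve on.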
17. For site-to-site VPNs with dynamically addressed peers, click the Dynamically Addressed Peers checkbox.
a. Select Initiator if the dynamically addressed switch is the initiator of IKE Aggressive-mode for Site-Site VPN,
or select Responder if the dynamically addressed switch is the responder for IKE Aggressive-mode.
b. In the FQDN field, enter a fully qualified domain name (FQDN) for the controller. If the controller is defined
as a dynamically addressed responder, you can select all peers to make the controller a responder for all VPN